Key questions for improving your organization's
cybersecurity performance

Improve Your Performance

The Baldrige Cybersecurity Excellence Builder self-assessment helps you understand and improve what is critical to
your organization's cybersecurity risk management. It is a voluntary self-assessment based on the more detailed
Framework for Improving Critical Infrastructure Cybersecurity, managed by NIST's Information Technology Laboratory,
Applied Cybersecurity Division, and the Baldrige Excellence Framework, compiled by the Baldrige Performance Excellence
Program at NIST.

For more information on the Baldrige Cybersecurity Initiative:

www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative 
Introduction


What is the Baldrige Cybersecurity Excellence Builder?

The Baldrige Cybersecurity Excellence Builder is a voluntary self-assessment tool that enables organizations to better 
understand the effectiveness of their cybersecurity risk management efforts. It helps your organization identify 
strengths and opportunities for improvement in managing cybersecurity risk based on your organization's mission, 
needs, and objectives. 

The Baldrige Cybersecurity Excellence Builder combines concepts in the Framework for Improving Critical Infrastructure
Cybersecurity (Cybersecurity Framework; www.nist.gov/cyberframework) and the Baldrige Excellence Framework
(www.nist.gov/baldrige/publications/baldrige-excellence-framework). Like those two sources, it is not a one-size-fits-all
approach. It is adaptable and scalable to your organization's needs, goals, capabilities, and environment. It does not
prescribe how you should structure your organization's cybersecurity policies and operations. Through interrelated sets
of open-ended questions, it encourages you to use the approaches that best fit your organization.

Using this self-assessment, you can 

• determine cybersecurity-related activities that are important to your business strategy and critical service delivery; 

• prioritize your investments in managing cybersecurity risk; 

• determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious
and security aware, and to fulfill their cybersecurity roles and responsibilities;

• assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices; 

• assess the cybersecurity results you achieve; and 

• identify strengths to leverage and priorities for improvement. 

What is the relationship between the Baldrige Cybersecurity Excellence
Builder and the Framework for Improving Critical Infrastructure
Cybersecurity?

The Baldrige Cybersecurity Excellence Builder blends the organizational performance and systems perspectives of the 
Baldrige Excellence Framework with the holistic, enterprise-based approach of the Cybersecurity Framework. 

[Diagram: the Framework for Improving Critical Infrastructure Cybersecurity (cybersecurity standards, guidelines,
practices, and references) combined with the Baldrige Excellence Framework (the leading edge of validated leadership
and performance practice).]

The Cybersecurity Framework assembles and organizes standards, guidelines, and practices that are working effectively
in many organizations. It also includes informative references that are common across critical infrastructure sectors. In
the Baldrige approach as applied to cybersecurity, an organization manages all areas affected by cybersecurity as a unified
whole. As shown in the diagram on the next page, the system consists of your cybersecurity-related approaches
in the areas of leadership, strategy, customers, workforce, and operations, as well as the results you achieve. (As shown
in the diagram, the Baldrige framework is based on a set of core values and concepts. For descriptions of these, see
the Baldrige framework booklet, www.nist.gov/baldrige/publications/baldrige-excellence-framework.) The system
foundation is measurement, analysis, and knowledge management. The background for all of these components is the
Organizational Context section, in which you define your organization's distinctive characteristics and situation.



The Baldrige Cybersecurity Excellence Builder incorporates the content outlined in the Cybersecurity Framework into 
those system elements. See the User Tools section for a crosswalk showing how the items in the Baldrige Cybersecurity 
Excellence Builder relate to the elements of the Cybersecurity Framework. 

Who in an organization should use the Baldrige Cybersecurity Excellence
Builder?

The Baldrige Cybersecurity Excellence Builder is intended for use by the leaders and managers in your organization 
who are concerned with and responsible for mission-driven, cybersecurity-related policy and operations. These leaders 
and managers may include senior leaders, chief security officers, and chief information officers, among others. For 
these and other roles and functions, and the benefits to each of using the Baldrige Cybersecurity Excellence Builder, see 
the User Tools section. 

Why does the Baldrige Cybersecurity Excellence Builder include
questions about my organization as a whole? Why doesn't it ask only
about my cybersecurity policies and operations?

Because cybersecurity is an organization-wide concern, the Baldrige Cybersecurity Excellence Builder includes questions
about

• your organizational and your cybersecurity leaders, 

• cybersecurity in the context of your organization's overall strategy, 

• the cybersecurity needs and expectations of internal and external customers, 

• the measurement of cybersecurity performance in the context of overall performance measurement, 

• your overall workforce and your cybersecurity workforce, 

• your cybersecurity operations and their alignment with overall operations, and 

• results related to each of these areas. 

Your organization's situation and cybersecurity risks are unique. Therefore, the Baldrige Cybersecurity Excellence Builder
leads you to understand your organization's cybersecurity policies and operations in the context of its characteristics
and strategic situation.
How can my organization use the Baldrige Cybersecurity Excellence
Builder to assess and improve its management of cybersecurity risks?

1. Scope 

The Baldrige Cybersecurity Excellence Builder is most valuable as a voluntary assessment of an entire organization's 
cybersecurity risk management program, but it is also useful in assessing a subunit, multiple subunits, or parts of an 
organization. 


2. Organizational Context 

The Organizational Context section is critically important for the following reasons:

• It helps you identify gaps in key information and focus on key cybersecurity performance requirements and results.

• You can use it as an initial self-assessment. If you identify topics for which conflicting, little, or no information is
available, you can use these topics for action planning.

• It sets the context for and allows you to address unique aspects of your organization's cybersecurity-related needs in
your responses to the questions in the rest of the Baldrige Cybersecurity Excellence Builder.

[Diagram: the self-assessment cycle, from completing the Organizational Context through measuring and evaluating
your progress.]

3. Process Questions (Categories 1-6)

Many of the questions in these 12 items begin with "how."

In answering the questions, give information on your organization's key cybersecurity-related processes: 


• Approach: How do you accomplish your organization's cybersecurity-related work? How systematic are the key 
processes you use? 

• Deployment: How consistently are your key cybersecurity-related processes used in relevant parts of your 
organization? 

• Learning: How well have you evaluated and improved your key cybersecurity-related processes? How well have 
improvements been shared within your organization? 

• Integration: How well do your cybersecurity-related processes address your current and future organizational needs? 


4. Results Questions (Category 7) 

For these five items, give information on the cybersecurity-related results that are the most important to your
organization's success:


• Levels: For your key measures of the effectiveness and efficiency of cybersecurity-related processes, what is your 
current performance? 

• Trends: Are the results improving, staying the same, or getting worse? 

• Comparisons: How does your performance compare with that of other organizations and competitors, or with 
benchmarks? 

• Integration: Are you tracking cybersecurity-related results that are important to your organization and consider 
the expectations and needs of your key stakeholders? Are you using the results in decision making? 


5. Assess Your Responses 

Using the process and results assessment rubrics on pages 24 and 25, assign a descriptor (Reactive, Early, Developing, 
Mature, Leading, or Exemplary) to your responses to each item. 
6. Prioritize Your Actions; Develop an Action Plan

Then determine the importance of areas of strength and opportunities for improvement. Celebrate the strengths of 
your cybersecurity risk management program, and build on them to improve what you do well. Sharing what you do 
well with the rest of your organization can speed improvement. Also, prioritize your opportunities for improving your 
cybersecurity-related processes and results; you cannot do everything at once. Think about what is most important 
for your organization as a whole at this time, balancing the differing needs and expectations of your stakeholders and 
your expected results, and decide what to work on first. 

7. Measure and Evaluate Your Progress 

As you respond to the questions and gauge your responses against the rubric, you will begin to identify strengths and 
gaps—first within the categories and then among them. The coordination of key processes, and linkages between 
your processes and your results, can lead to cycles of improvement. As you continue to use this assessment tool, you 
will learn more about your organization and begin to define the best ways to build on your strengths, close gaps, and 
innovate. 

You might also consult relevant informative references listed in the Cybersecurity Framework. These specific sections 
of standards, guidelines, and practices common among critical infrastructure sectors illustrate methods to achieve the 
outcomes associated with cybersecurity functions. 

In addition, completing this voluntary self-assessment might serve as a first step in carrying out these suggestions in 
the Cybersecurity Framework, section 3.0 ("How to Use the Framework"): 

• 3.1 Basic Review of Cybersecurity Processes: Use the information gained from answering the self-assessment
questions to compare your current cybersecurity-related activities with those outlined in the Cybersecurity Framework
Core.

• 3.2 Establishing or Improving a Cybersecurity Program: Use your answers to the self-assessment questions to 
inform the seven steps in creating or improving a cybersecurity program. 

• 3.3 Communicating Cybersecurity Requirements with Stakeholders: Your answers to the questions might inform 
the creation of a Target Profile to express cybersecurity risk management requirements to stakeholders. 

Baldrige Cybersecurity Excellence Builder Category Structure

[Annotated sample page. Callouts point to the category title, the explanation of why the category is important to
cybersecurity, what your organization should measure for the category, the item title, the key questions to answer,
and the explanatory notes. The sample shown is category 3, Customers, and item 3.1.]

Customers

Your customers are the ultimate judges of the quality of your organization's products and services. Cybersecurity risk can
harm your ability to gain and maintain customers. Thus, your organization must consider all cybersecurity-related product and
service features and modes of access and support that contribute value to your customers.

What to measure? See item 7.2, Customer Results.

3.1 Voice of the Customer: How do you obtain cybersecurity-related information from
your customers?

(1) HOW do you listen to, interact with, and observe internal and external CUSTOMERS to obtain actionable information
on their CYBERSECURITY-related requirements and expectations?

(2) HOW do you determine internal and external CUSTOMERS' satisfaction and dissatisfaction with your organization's
CYBERSECURITY policies and operations?

(3) HOW do you determine the impact of your organization's CYBERSECURITY policies and operations on CUSTOMER
ENGAGEMENT?

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 26-27).

Notes

3.1. The voice of the customer refers to your process for capturing customer-related information. In listening to the
voice of the customer, you might gather and integrate various types of customer data, such as survey data, focus group
findings, blog comments and data from other social media, and complaint data.

Q2. You might use any or all of the following to determine customer satisfaction and dissatisfaction: surveys, formal and
informal feedback, customer account histories, complaints, customer referral rates, and transaction completion rates.

Q3. Customer engagement is your customers' investment in or commitment to your brand and product/service offerings.
It is based on your ongoing ability to serve their needs and build relationships so that they will continue using your
products. Characteristics of engaged customers include retention, brand loyalty, willingness to make an effort to
do business—and increase their business—with you, and willingness to actively advocate for and recommend your
brand and product/service offerings.
Organizational Context


Having a clear understanding of your organization, why it exists, where your senior leaders want to take it in the future, who 
your key stakeholders are, what their expectations are, and what resources support critical functions will enable you to make and 
implement strategic decisions about cybersecurity risks, policies, and operations. 

C.1 Organizational Description: What are your key organizational characteristics?

a. Organizational Environment 

(1) Product Offerings What are your organization's main product and service offerings? What is the relative importance
of each to your success? What mechanisms do you use to deliver your products and services?

(2) Mission, Vision, and VALUES What are your stated MISSION, VISION, and VALUES? What are your organization's 
CORE COMPETENCIES, and what is their relationship to your MISSION? 

(3) WORKFORCE Profile What is your overall WORKFORCE profile? What is your CYBERSECURITY WORKFORCE profile? 
What recent changes have you experienced in the composition of your overall and your CYBERSECURITY WORKFORCE 
or in your needs for them? What are 

• your overall WORKFORCE and CYBERSECURITY WORKFORCE employee groups and SEGMENTS; and 

• the KEY drivers that engage them in accomplishing their work, including CYBERSECURITY-related work, and in 
achieving your MISSION and VISION? 

(4) Assets What are your organization's major physical and virtual assets, including its data, knowledge, devices, 
systems, facilities, and equipment? What are your priorities for protecting these assets, based on their criticality and 
business VALUE? 

(5) Legal and Regulatory Requirements What are the KEY laws and regulations relating to CYBERSECURITY in your 
industry? What are the KEY applicable 

• safety regulations relating to CYBERSECURITY; 

• accreditation, certification, or registration requirements relating to CYBERSECURITY; 

• industry CYBERSECURITY standards; and 

• environmental, financial, and product regulations relating to CYBERSECURITY? 

b. Organizational Relationships 

(1) Organizational Structure What are your overall organizational leadership structure and GOVERNANCE system? 

What are the reporting relationships among your GOVERNANCE board, SENIOR LEADERS, and parent organization, as 
appropriate? What is the structure of your CYBERSECURITY operations? What are the reporting relationships among 
your SENIOR LEADERS and your CYBERSECURITY leaders and managers? 

(2) Customers and Stakeholders What are your KEY internal and external CUSTOMER groups and STAKEHOLDER 
groups, as appropriate? What are their KEY requirements and expectations for your CYBERSECURITY policies and 
operations? What are the differences in these requirements and expectations among CUSTOMER groups and 
STAKEHOLDER groups? 

(3) Suppliers and PARTNERS What are your KEY types of suppliers, PARTNERS, and COLLABORATORS for your organization
as a whole and for your CYBERSECURITY operations? What role do they play in producing and delivering your
KEY products and services and your CUSTOMER support services? What CYBERSECURITY roles do they play in your
organization? What are your KEY mechanisms for two-way communication with suppliers, PARTNERS, and
COLLABORATORS? What are your KEY supply-chain requirements?


Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 26-27). 
Notes


C.1a(2). Core competencies are your organization's areas
of greatest expertise. They are those strategically important,
possibly specialized capabilities that are central to fulfilling
your mission or that provide an advantage in your marketplace
or service environment. Your core competencies should
inform the decisions you make about cybersecurity roles,
responsibilities, and risks.

C.1a(3). "Workforce" refers to the people actively involved
in accomplishing your organization's work. It includes
permanent, temporary, and part-time personnel, as well as
any contract employees you supervise. You should describe
your suppliers in response to C.1b(3).

C.1a(3). Workforce or employee groups and segments might
be based on type of employment or contract-reporting
relationship, location (including telework), tour of duty, work
environment, or other factors. Your cybersecurity workforce
profile might include information on education, tenure,
certifications, and other key characteristics. This information
will help you establish and manage cybersecurity roles and
responsibilities for the entire workforce.

C.1a(4). Assets include physical devices and systems, software
platforms and applications, operational technologies,
intellectual property, organizational communication and
data flows, external information systems (including "cloud
services"), and data and information. Your responses should
include those high-value assets that support the strategically
important products and services you describe in C.1a(1).

C.1b(2). Customer groups might be based on common 
expectations, behaviors, preferences, or profiles. 


C.2 Organizational Situation: What is your organization's strategic situation? 

a. Competitive Environment 

(1) Competitive Position What is your competitive position? What are your relative size and growth in your industry 
or the markets you serve? How many and what types of competitors do you have? 

(2) Competitiveness Changes What KEY changes, if any, are affecting your competitive situation? 

(3) Comparative Data What KEY sources of comparative and competitive CYBERSECURITY data are available from
within your industry? What KEY sources of comparative CYBERSECURITY data are available from outside your industry?
What limitations, if any, affect your ability to obtain or use these data?

b. Strategic Context 

What are your KEY STRATEGIC CHALLENGES and ADVANTAGES in the areas of business, operations, and CYBERSECURITY? 

c. Performance Improvement System 

What are the KEY elements of your PERFORMANCE improvement system, including your PROCESSES for evaluation and 

improvement of KEY CYBERSECURITY-related projects and PROCESSES? 

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 26-27). 


Notes 

C.2a(3). While comparative data about cybersecurity may
be relatively sparse, their use is important for the following
reasons: (1) Your organization needs to know where it stands
relative to competitors and to best practices; (2) comparative
information and information obtained from benchmarking
often provide the impetus for significant improvement or
transformational change; (3) comparing your organization's
performance to that of others frequently leads to a better
understanding of your processes and their performance; (4)
data on competitors' performance may reveal organizational
advantages as well as challenge areas; and (5) comparative
information may support business analysis and decisions
relating to core competencies, partnering, and outsourcing.

C.2c. Your performance improvement system refers to your 
overall approach to improving processes and projects within 
your organization. The approach you use should be related 
to your organization's needs. Some examples of approaches 
that are compatible with the overarching systems approach 
provided by this self-assessment are Lean, Six Sigma, Plan- 
Do-Check-Act, ISO standards, and decision science, among 
others. 
Leadership


The personal actions of your senior leaders and cybersecurity leaders, as well as the characteristics of your governance system, 
demonstrate and reinforce accountability, and guide and sustain your cybersecurity policies and operations. 

What to measure? See category 7 for organizational performance results to report. See item 7.4 for results specifically related 
to leadership and governance. 


1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your 
cybersecurity policies and operations? 

(1) HOW do your leaders DEPLOY the organization's MISSION, VISION, and VALUES to the WORKFORCE, to KEY suppliers 
and PARTNERS, and to KEY CUSTOMERS and other STAKEHOLDERS, as appropriate? 

(2) HOW do your leaders' actions demonstrate their commitment to CYBERSECURITY? 

(3) HOW do your leaders' actions demonstrate their commitment to legal and ETHICAL BEHAVIOR? 

(4) HOW do your leaders communicate with and engage other organizational leaders, the WORKFORCE, and KEY 
CUSTOMERS and STAKEHOLDERS regarding CYBERSECURITY? 

(5) HOW do your leaders create an environment for CYBERSECURITY policies and operations that are successful now and 
in the future? 

(6) HOW do your leaders create a focus on action that will achieve the organization's CYBERSECURITY objectives in
ALIGNMENT with its MISSION?


Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 26-27). 


Notes 

1.1. In this item, "leaders" includes your organization's 
senior leaders and those specifically responsible for 
overseeing and executing cybersecurity risk management 
and operations. Leadership on cybersecurity policies and 
approaches ideally resides at multiple organizational levels. 
Your organization should decide whether each question 
refers to all senior leaders or your cybersecurity leaders. 

Q1. Your organization's mission and vision should set the
context for the cybersecurity-related strategic objectives and
action plans you describe in items 2.1 and 2.2.

Q4. This includes encouraging frank, two-way communication
about cybersecurity; communicating key decisions; and
taking a direct role in motivating the workforce, including by
participating in reward and recognition programs.


Q5. To create an environment for cybersecurity policies
and operations that are successful now and in the future,
leaders should create an environment for operational agility,
cultivate organizational learning and learning for workforce
members, and create a workforce culture that fosters
engagement in cybersecurity matters. A successful organization,
understanding that some risk is always present,
determines and oversees its risk appetite and risk tolerance.

Q6. In creating a focus on action that will achieve the 
organization's objectives, leaders should create a focus on 
action that will improve your organization's cybersecurity 
performance in the context of its mission and strategy; 
identify needed actions; set expectations for performance 
that create and balance value for customers and other 
stakeholders; and demonstrate personal accountability for 
the organization's actions. 
1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity
policies and operations and fulfill your cybersecurity-related societal responsibilities?

(1) HOW does your organization ensure responsible GOVERNANCE of its CYBERSECURITY policies and operations?

(2) HOW do you address and anticipate legal, regulatory, and community concerns with your CYBERSECURITY-related 
policies and operations? 

(3) HOW do you promote and ensure ETHICAL BEHAVIOR in all CYBERSECURITY-related interactions? 

(4) HOW do you actively support and strengthen the CYBERSECURITY infrastructure of your KEY communities? 

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 26-27). 


Notes 

Q1. Responsible governance of cybersecurity policies and
operations includes accountability for these policies and
operations, accountability for strategic plans, fiscal accountability,
transparency, and protection of stakeholder and
stockholder interests, as appropriate. In protecting stakeholder
interests, the governance system should consider
and sanction appropriate levels of risk for the organization,
recognizing the need to accept risk as part of running a
successful organization.

Q3. Some examples of measures of ethical behavior are 
the percentage of independent board members, instances 
of ethical conduct or compliance breaches and responses 
to them, survey results showing workforce perceptions of 
organizational ethics, ethics hotline use, and results of ethics 
reviews and audits. 


Q4. To support and strengthen key communities, an 
organization might identify its key communities, determine 
areas for external participation in improving cybersecurity 
infrastructure, and contribute to the improvement of 
cybersecurity in those key communities by actively sharing 
information. This might include contributing comparative 
data on cybersecurity outcomes and actively sharing 
information with partners to ensure that accurate, current 
information is being distributed and consumed to improve 
cybersecurity before a cybersecurity event occurs. 
Strategy


Managing cybersecurity risk requires clear and robust planning and implementation, particularly when improvement
alternatives and the need to respond to unanticipated needs compete for limited resources.

What to measure? Many results covered in category 7 will flow from your strategy. See item 2.2, Q5, on establishing measures 
for the achievement and effectiveness of your cybersecurity-related action plans. See item 7.4, Q6, for results for strategy 
achievement. 


2.1 Strategy Development: How do you include cybersecurity considerations in your 
strategy development? 

(1) HOW do you include CYBERSECURITY planning in your overall organizational strategic planning PROCESS?

(2) HOW do you ensure ALIGNMENT between your CYBERSECURITY planning and your organization's overall strategic 
planning? 

(3) HOW does your strategy development PROCESS stimulate and incorporate INNOVATION in CYBERSECURITY policies 
and operations? 

(4) HOW do you collect and analyze relevant data and develop information on CYBERSECURITY for your strategic 
planning PROCESS? 

(5) HOW do you decide which KEY CYBERSECURITY PROCESSES will be accomplished by your WORKFORCE and which by 
external suppliers and PARTNERS? 

(6) What are your organization's KEY CYBERSECURITY-related STRATEGIC OBJECTIVES and timetable for achieving them?

(7) How do your organization's KEY CYBERSECURITY-related STRATEGIC OBJECTIVES align with your organization's overall 
STRATEGIC OBJECTIVES? 

(8) HOW do your STRATEGIC OBJECTIVES achieve appropriate balance among varying and potentially competing 
CYBERSECURITY needs, CUSTOMER and STAKEHOLDER requirements, and business objectives? 

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 26-27). 


Notes 

2.1. Strategy development refers to your organization's
approach to preparing for the future. This item asks how 
your strategic planning considers your organization's 
cybersecurity needs in alignment with your organization's 
overall strategy. 

2.1. In developing your cybersecurity strategy, you should
consider your level of acceptable enterprise risk. As 
appropriate, you might involve key suppliers, distributors, 
partners, and customers in your cybersecurity strategy 
development. 

Q3. Stimulating and incorporating innovation includes 
identifying strategic opportunities (prospects for new or 
changed cybersecurity policies, procedures, technologies, 
and processes) and deciding which ones are intelligent risks 
to pursue. Innovation refers to making meaningful change 
to improve products/services, processes, or organizational 
effectiveness and create new value for stakeholders. The 
outcome of innovation is a discontinuous or "breakthrough" 
change. 


Q4. Your collection and analysis should include these key
elements of risk: your strategic challenges and strategic
advantages with regard to cybersecurity, potential relevant
changes in your regulatory and external business environment,
potential blind spots with regard to cybersecurity,
and your ability to execute the cybersecurity-related parts of
the plan. Your decisions about these elements may give rise
to organizational risk. Analysis of these factors is the basis
for managing strategic cybersecurity-related risk in your
organization.

Q5. Decisions on which key cybersecurity processes will
be accomplished by your workforce and which externally
should consider your core competencies and those of
potential suppliers and partners. This is a fundamental
consideration in your key cybersecurity work systems
(consisting of how your cybersecurity-related work is
accomplished through internal work processes and external
resources). These decisions are strategic and involve protecting
intellectual property, capitalizing on core competencies,
and mitigating risk.
2.2 Strategy Implementation: How do you implement the cybersecurity-related elements
of your strategy?

(1) What are your KEY short- and longer-term CYBERSECURITY-related ACTION PLANS? 

(2) HOW do you DEPLOY your CYBERSECURITY-related ACTION PLANS? 

(3) HOW do you ensure that financial and other resources are available to support the achievement of your 
CYBERSECURITY-related ACTION PLANS while you meet current obligations? 

(4) What are your KEY WORKFORCE plans to support your short- and longer-term CYBERSECURITY-related STRATEGIC 
OBJECTIVES and ACTION PLANS? 

(5) What KEY PERFORMANCE MEASURES or INDICATORS do you use to track the achievement and EFFECTIVENESS of your 
CYBERSECURITY-related ACTION PLANS? 

(6) For these KEY PERFORMANCE MEASURES or INDICATORS, what are your PERFORMANCE PROJECTIONS for your short- 
and longer-term planning horizons? 

(7) HOW do you establish and implement modified CYBERSECURITY-related ACTION PLANS if circumstances require a 
shift in plans and rapid execution of new plans? 

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 26-27). 


Notes 

2.2. The development and deployment of your strategy 
(described in item 2.1) and action plans relating to 
cybersecurity are closely linked to other items. The following 
are examples of key linkages: 

• Item 1.1: how your leaders communicate organizational 
direction with regard to cybersecurity 

• Category 3: how you gather internal and external 
customer knowledge as input to your strategy and 
action plans and to use in deploying action plans 

• Category 4: how you measure and analyze cybersecurity 
data and manage cybersecurity knowledge to support key 
information needs, support the development of your 
strategy, provide an effective basis for cybersecurity 
performance measurements, and track progress on 
achieving cybersecurity-related strategic objectives and 
action plans 


• Category 5: how you meet cybersecurity workforce 
capability and capacity needs; determine 
cybersecurity-related development and learning needs, 
and design your workforce development and learning 
system accordingly; and implement workforce-related 
changes resulting from action plans 

• Category 6: how you address changes to your cybersecurity 
work processes resulting from action plans 

• Item 7.1: specific accomplishments on the cybersecurity- 
related elements of your strategy and action plans 
3 Customers 


Your customers are the ultimate judges of the quality of your organization's products and services. Cybersecurity risk can 
harm your ability to gain and maintain customers. Thus, your organization must consider all cybersecurity-related product and 
service features and modes of access and support that contribute value to your customers. 

What to measure? See item 7.2, Customer Results. 


3.1 Voice of the Customer: How do you obtain cybersecurity-related information from 
your customers? 

(1) HOW do you listen to, interact with, and observe internal and external CUSTOMERS to obtain actionable information 
on their CYBERSECURITY-related requirements and expectations? 

(2) HOW do you determine internal and external CUSTOMERS' satisfaction and dissatisfaction with your organization's 
CYBERSECURITY policies and operations? 

(3) HOW do you determine the impact of your organization's CYBERSECURITY policies and operations on CUSTOMER 
ENGAGEMENT? 



Notes 

3.1. The voice of the customer refers to your process for 
capturing customer-related information. In listening to the 
voice of the customer, you might gather and integrate 
various types of customer data, such as survey data, focus 
group findings, blog comments and data from other social 
media, and complaint data. 

Q2. You might use any or all of the following to determine 
customer satisfaction and dissatisfaction: surveys, formal and 
informal feedback, customer account histories, complaints, 
customer referral rates, and transaction completion rates. 


Q3. Customer engagement is your customers' investment in 
or commitment to your brand and product/service offerings. 
It is based on your ongoing ability to serve their needs and 
build relationships so that they will continue using your 
products. Characteristics of engaged customers include 
retention, brand loyalty, willingness to make an effort to 
do business—and increase their business—with you, and 
willingness to actively advocate for and recommend your 
brand and product/service offerings. 
3.2 Customer Engagement: How do you engage customers in cybersecurity by serving 
their needs and building relationships? 

(1) HOW do you enable internal and external CUSTOMERS to seek information and support related to your 
CYBERSECURITY policies and operations? 

(2) HOW do you ensure that internal and external CUSTOMERS understand and fulfill their CYBERSECURITY roles and 
responsibilities? 

(3) HOW do you build and manage internal and external CUSTOMER relationships to retain CUSTOMERS, meet their 
requirements, and exceed their expectations with regard to CYBERSECURITY? 

(4) HOW do you manage internal and external CUSTOMER complaints about your CYBERSECURITY policies and 
operations? 



Note 

Q1. Your approach to enabling customers to seek information 
and support should include provisions to protect 
privacy and civil liberties when personal information is used, 
collected, processed, maintained, or disclosed in connection 
with your organization's cybersecurity activities. Some 
examples of activities with privacy or civil liberties 
considerations include cybersecurity activities that may result 
in the overcollection or overretention of personal information; 
disclosure or use of personal information unrelated to 
cybersecurity activities; and cybersecurity mitigation activities 
that result in denial of service or other similar potentially 
adverse impacts, including incident detection or monitoring 
that may impact freedom of expression or association. 

Privacy principles to consider incorporating in cybersecurity 
policies and operations include minimizing the collection, 
disclosure, and retention of personal information; use 
limitations outside of cybersecurity activities on any 
information collected specifically for cybersecurity activities; 
transparency for certain cybersecurity activities; and 
individual consent and redress for adverse impacts arising 
from use of personal information in cybersecurity activities. 
4 Measurement, Analysis, and Knowledge Management 

This category is the "brain center" for aligning your cybersecurity operations with your objectives. Measuring and analyzing 
how your organization is performing on a comprehensive yet carefully culled set of cybersecurity-related measures helps you 
make decisions that improve performance. 

What to measure? Q2 and Q3 ask for your key cybersecurity performance measures, including your key financial measures. 

See the notes to Q2 and Q3 for an explanation. 

4.1 Measurement, Analysis, and Improvement of Performance: How do you measure, 
analyze, and then improve cybersecurity-related performance? 

(1) HOW do you track data and information on daily CYBERSECURITY operations and overall CYBERSECURITY 
PERFORMANCE? 

(2) What are your KEY CYBERSECURITY PERFORMANCE MEASURES, including your KEY financial MEASURES for your 
CYBERSECURITY operations? 

(3) What are your KEY MEASURES for the impact of CYBERSECURITY PERFORMANCE on your organization's overall 
KEY PERFORMANCE MEASURES? 

(4) HOW do you select comparative data and information to support fact-based decision making on CYBERSECURITY 
policies and operations? 

(5) HOW do you select VOICE-OF-THE-CUSTOMER and market data and information to support fact-based decision 
making on CYBERSECURITY policies and operations? 

(6) HOW do you ensure that your measurement of CYBERSECURITY PERFORMANCE can respond to rapid or unexpected 
organizational or external changes? 

(7) HOW do you review your organization's CYBERSECURITY PERFORMANCE and capabilities? 

(8) HOW do you project your organization's future CYBERSECURITY PERFORMANCE? 

(9) HOW do you use findings from PERFORMANCE reviews (addressed in question 7) to develop and DEPLOY priorities 
for continuous improvement and opportunities for INNOVATION in your CYBERSECURITY policies and operations? 



Notes 

4.1. This item asks how your organization's overall 
performance measurement and analysis system includes 
the measurement and analysis of cybersecurity-related 
performance. The results of performance analysis and review 
should inform the development and implementation of 
the cybersecurity-related elements of your organization's 
strategy (see category 2). 

Q2. Your key cybersecurity performance measures are 
those that are critical to achieving the cybersecurity-related 
strategic objectives described in category 2. Depending on 
your organization's strategy and goals, these might include 
measures of customer and process performance; operational 
performance; supplier, workforce, partner, cost, and financial 
performance; and governance and compliance results. 

Q2, Q3. Key financial measures for your cybersecurity 
operations might include measures of performance to budget. 
Measures for the impact of cybersecurity performance on 
your organization's overall performance might include the 
financial impact of cybersecurity operations and incidents on 
organization-wide operations, as well as on your ability to 
meet customer and stakeholder requirements and business 
objectives. See the notes to item 7.5 for specific examples. 

Q4. Organizations obtain comparative data and information 
by benchmarking and by seeking competitive comparisons. 
Benchmarking is identifying processes and results that 
represent best practices and performance for similar 
activities, inside or outside your industry. Competitive 
comparisons relate your performance to that of competitors 
and other organizations providing similar products and services. 

Q7. Your reviews of cybersecurity performance should be 
informed by performance measures identified throughout 
this self-assessment tool, and they should be guided by 
the strategic objectives and action plans you identify in 
category 2. Reviews might include a review by your 
organization's governance board. 
4.2 Knowledge Management: How do you manage your organization's cybersecurity- 
related knowledge assets? 

(1) HOW do you verify and ensure the quality of organizational data and information related to CYBERSECURITY? 

(2) HOW do you ensure the availability of organizational data and information related to CYBERSECURITY? 

(3) HOW do you build, manage, and update your organization's CYBERSECURITY-related knowledge and awareness? 

(4) HOW do you share CYBERSECURITY best practices in your organization and with CUSTOMERS, suppliers, and 
PARTNERS, as appropriate? 

(5) HOW do you use your knowledge and resources to embed LEARNING in the way your CYBERSECURITY operations 
function? 




Notes 

Q3. Building, managing, and updating cybersecurity-related 
knowledge allows you to maintain your organization's 
awareness of a continually changing cybersecurity threat 
environment. It involves collecting and transferring 
workforce knowledge related to cybersecurity; blending and 
correlating cybersecurity-related data from different sources 
(including other organizations) to build new knowledge; 
transferring relevant cybersecurity-related knowledge from 
and to customers, suppliers, partners, and collaborators; and 
assembling and transferring relevant cybersecurity-related 
knowledge for use in innovation and strategic planning 
processes. 

Sources for building and updating your organization's 
cybersecurity-related knowledge and awareness may 
include, for example, cybersecurity information learned from 
other organizations, service tickets reported to the help desk, 
lessons learned from recovery exercises, and data reported 
by customers. An important element of cybersecurity risk 
management includes the ability to predict and avoid 
cybersecurity incidents based on lessons learned and/or 
information shared by partners and others. 

Q5. Embedding learning in the way your cybersecurity 
operations function means that learning (1) is a part of 
everyday cybersecurity work; (2) results in solving problems 
at their source; (3) is focused on building and sharing 
cybersecurity knowledge throughout your organization; 
and (4) is driven by opportunities to bring about significant, 
meaningful change and to innovate with regard to 
cybersecurity. Organizational learning takes place when 
processes intentionally include mechanisms that monitor 
performance and conformance, identify improvement 
targets, analyze gaps, and prioritize improvements. 
5 Workforce 


Success in achieving your cybersecurity-related objectives depends on an engaged workforce—including workforce members 
involved directly in cybersecurity-related operations and members of your overall workforce. This workforce benefits from 
meaningful work, clear organizational direction, the opportunity to learn, and accountability for performance. 

What to measure? See item 7.3, Workforce Results. 

5.1 Workforce Environment: How do you build an effective and supportive environment 
for your cybersecurity workforce? 

(1) HOW do you assess your CYBERSECURITY WORKFORCE CAPABILITY and CAPACITY needs? 

(2) HOW do you recruit, hire, place, and retain new CYBERSECURITY WORKFORCE members? 

(3) HOW do you organize and manage your CYBERSECURITY WORKFORCE to establish roles and responsibilities? 

(4) HOW do you prepare your CYBERSECURITY WORKFORCE for changing CAPABILITY and CAPACITY needs? 



Notes 

5.1. The questions in this item refer to your cybersecurity 
workforce. See item 5.2 for questions on your entire 
workforce. 

5.1. Your cybersecurity workforce consists of the people 
actively involved in accomplishing your organization's 
cybersecurity work. It includes permanent, temporary, and 
part-time personnel, as well as any contract employees 
you supervise. It includes team leaders, supervisors, and 
managers at all levels. Suppliers and people supervised by a 
contractor should be addressed in categories 2 and 6. 

Q1. Cybersecurity workforce capability is your 
organization's ability to carry out its cybersecurity work 
processes through its people's knowledge, skills, abilities, 
and competencies. Cybersecurity workforce capacity is your 
organization's ability to ensure sufficient staffing levels to 
carry out its cybersecurity work processes, including the 
ability to meet seasonal or varying demand levels. In 
assessing your cybersecurity workforce capability and 
capacity needs, you should consider not only current needs 
but also future requirements based on the strategic 
objectives and action plans you identify in category 2. 

Q2. This question refers only to new cybersecurity 
workforce members. For the retention of existing workforce 
members, see item 5.2, Workforce Engagement. 

Q4. Preparing your cybersecurity workforce for changing 
capability and capacity needs involves ensuring continuity, 
preventing workforce reductions, and minimizing the impact 
of any reductions that occur. It also involves preparing for 
and managing any periods of workforce growth, as well 
as preparing your workforce for changes in organizational 
structure and work systems, as needed. 
5.2 Workforce Engagement: How do you engage your workforce to achieve a high-performance 
work environment in support of cybersecurity policies and operations? 

(1) HOW do you foster an organizational culture that is characterized by open communication, HIGH PERFORMANCE, 
and a WORKFORCE that is engaged in CYBERSECURITY matters? 

(2) HOW do you assess the ENGAGEMENT of your organization's overall WORKFORCE in CYBERSECURITY matters? 

(3) HOW does your WORKFORCE PERFORMANCE management system support WORKFORCE ENGAGEMENT in 
CYBERSECURITY matters and HIGH PERFORMANCE in fulfilling CYBERSECURITY roles and responsibilities? 

(4) HOW does your LEARNING and development system support your organization's needs and the development of 
your organization's overall WORKFORCE members, managers, and leaders in fulfilling CYBERSECURITY roles and 
responsibilities? 

(5) HOW do you evaluate the EFFECTIVENESS and efficiency of your CYBERSECURITY LEARNING and development system? 

(6) HOW do you carry out succession planning for KEY CYBERSECURITY management and leadership positions? 



Notes 

5.2. The questions in this item refer to your organization's 
entire workforce. 

Q1. Fostering such a culture includes empowering your 
workforce and ensuring a safe, trusting, and cooperative 
environment. 

Q2. Drivers of workforce engagement (identified in C.1a(3)) 
refer to the drivers of workforce members' commitment, 
both emotional and intellectual, to accomplishing the 
organization's work (including cybersecurity-related work), 
mission, and vision. 


Q3. Your workforce performance management system 
should consider compensation, reward, recognition, and 
retention practices. It should reinforce intelligent risk taking, 
a customer and business focus, and achievement of your 
action plans. 

Q4. Learning and development needs include the 
knowledge, skills, and abilities workforce members need to 
fulfill their cybersecurity roles and responsibilities. 
Organizations benefit when an understanding of these needs 
becomes part of the organizational culture, evolving from 
lessons learned from previous security activities, information 
shared by other sources, and continuous awareness of 
activities on their systems and networks. 
6 Operations 


Designing, managing, and improving your cybersecurity-related operations for effectiveness and efficiency helps you achieve 
your cybersecurity-related objectives, in turn supporting your organization's overall goals and objectives. 

What to measure? See item 7.1, Cybersecurity Process Results. 


6.1 Work Processes: How do you design, manage, and improve your key cybersecurity 
work processes? 

a. Cybersecurity Process Design, Management, and Improvement 

(1) HOW do you determine KEY CYBERSECURITY WORK PROCESS requirements? 

(2) HOW do you design your CYBERSECURITY WORK PROCESSES to meet requirements? 

(3) HOW does your day-to-day operation of CYBERSECURITY WORK PROCESSES ensure that they meet KEY PROCESS 
requirements? 

(4) HOW do you determine the KEY support PROCESSES that enable your CYBERSECURITY operations? 

(5) HOW do you improve your CYBERSECURITY WORK PROCESSES to improve their PERFORMANCE and reduce variability? 

(6) HOW do you pursue opportunities for INNOVATION in your CYBERSECURITY operations? 

b. Protection of Assets and Systems 

(1) HOW do you limit access to physical and logical assets and associated facilities to authorized users, PROCESSES, or 
devices consistent with the risk of unauthorized access? 

(2) HOW do you manage information and records (data) consistent with your risk strategy to PROTECT their 
confidentiality and integrity, and ensure their availability? 

(3) HOW do you maintain and use security policies (addressing purpose, scope, roles, responsibilities, management 
commitment, and coordination among organizational entities), PROCESSES, and procedures to manage PROTECTION 
of information systems and assets? 

(4) HOW do you maintain and repair industrial control and information system components consistent with policies 
and procedures? 

(5) HOW do you manage technical security solutions to ensure the security and resilience of systems and assets 
consistent with related policies, procedures, and agreements? 

c. Detection of Cybersecurity Events 

(1) HOW do you DETECT anomalies in a timely manner and assess the impact of CYBERSECURITY events? 

(2) HOW do you continuously monitor information systems and assets, at defined intervals, to identify CYBERSECURITY 
events and verify the effectiveness of protective measures? 

(3) HOW do you maintain and test DETECTION PROCESSES and procedures to ensure timely and adequate awareness of 
anomalies? 

d. Response to Cybersecurity Events 

(1) HOW do you execute and maintain RESPONSE PROCESSES and procedures to ensure timely RESPONSE to detected 
CYBERSECURITY events? 

(2) HOW do you coordinate RESPONSE activities with other WORKFORCE units, CUSTOMERS, and STAKEHOLDERS, as 
appropriate, including external law enforcement agencies? 

(3) HOW do you analyze your RESPONSE activities to ensure adequate RESPONSE and support RECOVERY activities? 

(4) HOW do you limit expansion of an event, mitigate its effects, and eradicate the event? 

e. Recovery from Cybersecurity Events 

(1) HOW do you execute and maintain RECOVERY PROCESSES and procedures to ensure timely restoration of systems or 
assets affected by CYBERSECURITY events? 

(2) HOW do you coordinate RECOVERY activities with other WORKFORCE units, CUSTOMERS, and STAKEHOLDERS, such as 
coordinating centers, Internet service providers, victims, other computer security incident RESPONSE teams, and vendors? 

Notes 

6.1a(1), 6.1a(2). The design of your key cybersecurity work 
processes should consider your customers' and stakeholders' 
requirements and expectations of your organization, and of 
its products and services. 

6.1a(3). Ensuring that your day-to-day operation of 
cybersecurity work processes meets requirements includes 
establishing key performance measures or in-process 
measures to control and improve these processes. 

6.1a(4). Support processes for your key cybersecurity work 
processes might include those for finance and human 
resources, for example. 

6.1a(5). The results of improvements in process 
performance should be reported in item 7.1. To improve 
process performance and reduce variability, you might 
implement approaches such as a Lean Enterprise System, 
Six Sigma methodology, ISO quality system standards, PDCA 
methodology, decision sciences, or other process improvement 
tools. These approaches might be part of the performance 
improvement system you describe in C.2c in the 
Organizational Context section. 

6.1b-6.1e. The Cybersecurity Framework Core includes the 
functions of Identify, Protect, Detect, Respond, and Recover. 
These functions organize basic cybersecurity activities 
at their highest level. The Core identifies underlying key 
categories and subcategories for each function, and matches 
them with examples of informative references, such as 
existing standards, guidelines, and practices. Protect, Detect, 
Respond, and Recover are covered in this item. The Identify 
function is covered by questions in the Organizational 
Context and in categories 1, 2, 3, and 5. 

6.1b-6.1e. Your responses should include aspects of your 
work processes that involve external suppliers and partners, 
such as third-party connections into your organization's 
networks and systems. 


6.2 Operational Effectiveness: How do you ensure effective management of your 
cybersecurity operations? 

(1) HOW do you control the overall costs of your CYBERSECURITY operations? 

(2) HOW do you manage your CYBERSECURITY-related supply chain? 

(3) HOW do you ensure that all your suppliers and PARTNERS understand and fulfill their CYBERSECURITY roles and 
responsibilities? 

(4) HOW do you ensure that your CYBERSECURITY operations consider their impact on and align with your 
organization's overall operations? 

(5) HOW do you ensure that your CYBERSECURITY operations consider and align with your organization's overall 
operational safety system? 

(6) HOW do you ensure that your organization incorporates CYBERSECURITY-related considerations and operations in its 
preparation for disasters or emergencies? 

(7) In the event of an emergency, HOW do you ensure that systems and assets continue to be secure and available to 
serve CUSTOMERS and business needs? 



Notes 

Q2. Managing your supply chain includes selecting 
suppliers and ensuring that they are qualified and positioned 
to not only meet operational needs but also enhance your 
performance and your customers' satisfaction, measuring and 
evaluating your suppliers' performance, providing feedback 
to your suppliers to help them improve, and dealing with 
poorly performing suppliers. An organization with effective 
supply-chain risk management can account for emerging 
cyber supply-chain risk using near-real-time risk 
management information, coordinated among all relevant 
levels of the organization and external suppliers/partners. 

Q6, Q7. Your preparation for disasters and emergencies 
should consider all systems and assets that are needed to 
provide your products and services to customers, including 
supply-chain availability. It should also consider the extent 
to which your organization is part of customers' critical 
infrastructure. 
7 Results 


Results provide data and information (measures of progress) for evaluating, improving, and innovating cybersecurity-related 
processes, policies, and operations in alignment with your cybersecurity and organizational strategy. 

7.1 Cybersecurity Process Results: What are your cybersecurity performance and process 
effectiveness results? 

(1) What are your RESULTS for the PROTECTION of your systems and assets? 

(2) What are your RESULTS for the DETECTION of CYBERSECURITY EVENTS? 

(3) What are your RESULTS for your RESPONSE to CYBERSECURITY EVENTS? 

(4) What are your RESULTS for your RECOVERY from CYBERSECURITY EVENTS? 

(5) What are your PROCESS EFFECTIVENESS and efficiency RESULTS for your CYBERSECURITY operations? 

(6) What are your emergency preparedness RESULTS for your CYBERSECURITY operations? 

(7) What are your RESULTS for suppliers' and PARTNERS' understanding and fulfillment of their CYBERSECURITY roles and 
responsibilities? 

(8) What are your RESULTS for management of your CYBERSECURITY supply chain? 



Notes 

7. The results you report in items 7.1-7.5 should provide key 
information for analyzing and reviewing your cybersecurity- 
related performance (item 4.1), demonstrate use of 
cybersecurity knowledge (item 4.2), and provide the 
operational basis for customer-focused results (item 7.2) and 
financial results (item 7.5). There is not a one-to-one 
correspondence between results items and categories 1-6. 
Results should be considered systemically. Contributions to 
individual results items frequently stem from processes in 
more than one category. 

Q1-Q8. The results you report here should address the key 
operational requirements you identify in the Organizational 
Context section and in category 6. 

Q1. Results for the protection of systems and assets should 
relate to the protection processes you describe in category 
6. These results might include, for example, the percentage 
of devices and/or software accurately recorded in inventory, 
the percentage of devices configured according to policy, 
the percentage of critical information servers supported 
by strong authentication, and the number of facilities with 
Personal Identity Verification (PIV)-based electronic locks. 

Q2. Results for the detection of cybersecurity events should 
relate to the detection processes you report in category 6. 
These results might include, for example, the number of 
anomalies detected, investigated, and resolved, and the 
percentage of planned vulnerability mitigation actions 
effectively completed. 


Q3. Results for your response to cybersecurity events should 
relate to the response processes you report in category 6. 
These results might include, for example, incident recovery 
and response time, number of disaster recovery incidents, 
and number of reports shared with Information Sharing and 
Analysis Organizations or other appropriate third parties. 

Q4. Results for your recovery from cybersecurity events 
should relate to the recovery processes you report in 
category 6. These results might include, for example, the 
time to restore lost availability, the time to access alternate 
availability mechanisms and restore services, and results of 
efforts to restore your organization's reputation. 

Q5. Process effectiveness and efficiency results for 
your cybersecurity operations might include those for 
simplification of jobs, waste reduction, and work layout 
improvements. 

Q6. Emergency preparedness results might include the 
cybersecurity operation's response times for emergency drills 
or exercises and results for work relocation or contingency 
exercises. 

Q8. Results for cybersecurity supply-chain performance 
might include the percentage of contracts that include 
cybersecurity monitoring and reporting requirements; 
supplier and partner audits; and acceptance results for 
externally provided services and processes, as well as 
improvements in downstream supplier services to customers. 
7.2 Customer Results: What are your customer-focused cybersecurity performance 
results? 

(1) What are your RESULTS for your internal and external CUSTOMERS' satisfaction and dissatisfaction with your 
CYBERSECURITY policies and operations? 

(2) What are your RESULTS for the impact of your organization's CYBERSECURITY policies and operations on CUSTOMER 
ENGAGEMENT? 

(3) What are your RESULTS for your internal and external CUSTOMERS' understanding and fulfillment of their 
CYBERSECURITY roles and responsibilities? 



Notes 

7.2. Results for customer satisfaction, dissatisfaction, and 
engagement should relate to the customer groups you 
identify in C.1b(2) and to the listening and determination 
methods you report in item 3.1. 

Q1. Results might include, for example, survey results 
on customer satisfaction and dissatisfaction with 
cybersecurity and privacy, and the number of complaints 
about cybersecurity-related issues. 


Q2. Results might include, for example, those for the impact 
of cybersecurity policies and procedures, incidents, and 
responses to incidents on customer loyalty, retention, and 
willingness to recommend. 

Q3. Results might include, for example, the number of 
potential incidents reported by external customers, the 
requirements for service-level agreements regarding 
recovery of critical customer systems, the percentage of 
customers who have changed their passwords regularly or 
within a specified time period, and the number of customer 
systems applying multifactor (strengthened) authentication. 


7.3 Workforce Results: What are your workforce-focused cybersecurity performance 
results? 

(1) What are your CAPABILITY and CAPACITY RESULTS for your CYBERSECURITY WORKFORCE? 

(2) What are your RESULTS for the ENGAGEMENT of your WORKFORCE in CYBERSECURITY matters? 

(3) What are your RESULTS for WORKFORCE members' fulfillment of their CYBERSECURITY roles and responsibilities? 

(4) What are your WORKFORCE and leader development RESULTS related to CYBERSECURITY? 



Notes 

7.3. Results reported in this item should relate to the 
processes you report in category 5. Your results should 
also respond to the key work process needs you report in 
category 6 and to the action plans you report in item 2.2. 

Q1. Results might include, for example, the number of 
qualified referrals received through employee 
recommendations, the percentage of cybersecurity vacancies 
remaining open for a specified number of days, and the 
percentage of staff members who have achieved necessary 
qualifications (e.g., Certified Information Security Manager 
[CISM], Certified Information Systems Security Professional 
[CISSP]). 

Q2. Results should relate to the workforce engagement 
drivers you describe in C.1a(3) and the methods of assessing 
engagement you describe in item 5.2. 


Q3. Results might include the percentage of employees who 
follow specific cybersecurity policies and practices, such as 
those who observe your organization's password practices. 

Q4. Results might include, for example, the percentage of employees who complete role-specific cybersecurity training, cybersecurity management training hours per full-time equivalent, the percentage of employees trained on incident handling, the percentage of employees trained to recognize and avoid email scams, the percentage of employees trained on how to secure an email browser, and the number of employees trained on use of guidelines for cell phone and personal device security. 
7.4 Leadership and Governance Results: What are your cybersecurity leadership and governance results? 

(1) What are your RESULTS for leaders' communication and engagement with your organization's other leaders, your 
WORKFORCE, and your KEY CUSTOMERS and STAKEHOLDERS regarding CYBERSECURITY? 

(2) What are your RESULTS for GOVERNANCE accountability related to CYBERSECURITY? 

(3) What are your legal and regulatory RESULTS related to CYBERSECURITY? 

(4) What are your RESULTS for ETHICAL BEHAVIOR related to CYBERSECURITY? 

(5) What are your RESULTS for support of the CYBERSECURITY infrastructure of your KEY communities? 

(6) What are your RESULTS for the achievement of your CYBERSECURITY strategy and ACTION PLANS? 

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 26-27). 


Notes 

Q1. Responses should include results relating to the communication processes you identify in item 1.1. 

Q2. Responses should include results relating to the 
governance processes you describe in item 1.2. These 
results might include financial statement issues and risks, 
important internal and external auditor recommendations, 
and management's responses to these matters. 

Q3. Legal and regulatory results should relate to the processes and measures you describe in item 1.2. Examples might be the percentage of business systems in compliance with legal and regulatory requirements, the number of compliance breaches, and the frequency of warnings/violation notices for cybersecurity infractions. 


Q4. Responses should relate to the processes for ensuring 
ethical behavior that you identify in item 1.2. 

Q5. Results for support of the cybersecurity infrastructure of 
your key communities might include the extent of external 
participation and collaboration to improve cybersecurity and 
results showing its effectiveness (e.g., improved detection 
using shared indicators of compromise). 

Q6. Results for strategy and action plan achievement should 
relate to the strategic objectives and goals you report in item 
2.1 and the action plan performance measures you report in 
item 2.2. 


7.5 Financial Results: What are your cybersecurity-related financial performance results? 

(1) What are your financial and budgetary PERFORMANCE RESULTS for your CYBERSECURITY operations? 

(2) What are your results for the impact of CYBERSECURITY costs on your organization's overall financial PERFORMANCE? 

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 26-27). 


Notes 

7.5. Results should relate to the financial measures you 
report in item 4.1 and the financial management approaches 
you report in item 2.2. 

Q1. Examples might include cybersecurity spending as a 
percentage of the IT budget, cost performance to budget, 
and lowering of costs as a result of increased efficiency. 


Q2. Examples might include cost savings or losses 
avoided (e.g., fines for nonconformance) produced by the 
information security program or through costs incurred 
from addressing information security events, cost/schedule 
variance in information security activities, and the impact 
of the cost of cybersecurity breaches on your organization's 
other financial results. 
Assessing Your Responses 

1. For each item (e.g., 1.1, 1.2) in categories 1-7 of the Baldrige Cybersecurity Excellence Builder, use the process and 
results rubrics on pages 24-25 to assign a descriptor (Reactive, Early, Developing, Mature, Leading, or Exemplary) 
for each evaluation factor. 

For processes (categories 1-6), the evaluation factors are approach, deployment, learning, and integration (ADLI): 

• Approach consists of the methods used to carry out a process, the degree to which your approach is systematic 
(i.e., repeatable and based on reliable data and information), the appropriateness of these methods to the item 
questions and your operating environment, and the effectiveness of your use of the methods. 

• Deployment is the extent to which your approach is applied consistently and the extent to which it is used by all 
appropriate work units. 

• Learning is the refinement of your approach through cycles of evaluation and improvement, the encouragement 
of breakthrough change to your approach through innovation, and the sharing of refinements and innovations 
with other relevant work units and processes in your organization. 

• Integration is the extent to which your approach is aligned with the organizational needs identified in the Organizational Context section and in other process items. Integration also includes the extent to which your measures, information, and improvement systems are complementary across processes and work units; and the extent to which your plans, processes, results, analyses, learning, and actions are harmonized across processes and work units to support organization-wide goals. 

For results (category 7), the evaluation factors are levels, trends, comparisons, and integration (LeTCI; "let's see"). 

• Levels are your current performance on a meaningful measurement scale. 

• Trends are your rate of performance improvement or continuation of good performance in areas of importance 
(i.e., the slope of data points over time). 

• Comparisons are your performance relative to that of other, appropriate organizations, such as competitors or 
organizations similar to yours, and your performance relative to industry leaders or relevant benchmarks. 

• Integration is the extent to which your results address important performance requirements relating to customers, 
products/services, markets, processes, and action plans identified in the Organizational Context section and in the 
process items (categories 1-6). It also includes the extent to which your results reflect harmonization across your 
processes and work units to support organization-wide goals. 

2. Indicate the importance (high, medium, or low) of each item to the successful management of cybersecurity 
within your organization. 

3. Prioritize your actions. 

Celebrate the strengths of your cybersecurity risk management program, and build on them to improve what you do 
well. Sharing the things you do well with the rest of your organization can speed improvement. 

Prioritize your opportunities for improvement; you cannot do everything at once. Think about what is most important 
for your organization as a whole at this time, balancing the differing needs and expectations of your stakeholders, and 
decide what to work on first. Look at the next level in the rubric for how you might improve. Develop an action plan, 
implement it, and measure your progress. 


Assessment Rubric 

Process (Categories 1-6) 

[Rubric tables for Process (Categories 1-6) and Results (Category 7), pages 24-25 of the original, are not recoverable from the extracted text; only their titles survive.] 
















Glossary of Key Terms 

The terms below are those in SMALL CAPS in the Baldrige Cybersecurity Excellence Builder 
categories and assessment rubric. 


ACTION PLANS. Specific actions that your organization 
takes to reach its short- and longer-term strategic objectives. 
These plans specify the resources committed to and the time 
horizons for accomplishing the plans. See also STRATEGIC 
OBJECTIVES. 

ALIGNMENT. A state of consistency among plans, processes, information, resource decisions, workforce capability and capacity, actions, results, and analyses that support key organization-wide goals. See also INTEGRATION. 

APPROACH. The methods your organization uses to carry 
out its processes. 

BENCHMARKS. Processes and results that represent the 
best practices and best performance for similar activities, 
inside or outside your organization's industry. 

COLLABORATORS. Organizations or individuals who 
cooperate with your organization to support a particular 
activity or event or who cooperate intermittently when their 
short-term goals are aligned with or are the same as yours. 
See also PARTNERS. 

CORE COMPETENCIES. Your organization's areas of 
greatest expertise; those strategically important capabilities 
that are central to fulfilling your mission or that provide an 
advantage in your marketplace or service environment. 

CUSTOMER. An actual or potential user of your 
organization's products, programs, or services. See also 
STAKEHOLDERS. 

CUSTOMER ENGAGEMENT. Your customers' investment in or commitment to your brand and product offerings. 

CYBERSECURITY. The process of protecting information 
and assets by limiting the occurrence of, detecting, and 
responding to attacks. 

CYBERSECURITY EVENT. A cybersecurity change that may 
have an impact on organizational operations (including 
mission, capabilities, or reputation). 

DEPLOYMENT. The extent to which your organization 
applies an approach in relevant work units throughout your 
organization. 

DETECT. Develop and implement the appropriate activities 
to identify the occurrence of a cybersecurity event. Detect 
is one of the five functions included in the Cybersecurity 
Framework Core. The others are Identify, Protect, Respond, 
and Recover. 


EFFECTIVE. How well a process or a measure addresses its 
intended purpose. 

ETHICAL BEHAVIOR. The actions your organization takes 
to ensure that all its decisions, actions, and stakeholder 
interactions conform to its moral and professional principles 
of conduct. These principles should support all applicable 
laws and regulations and are the foundation for your 
organization's culture and values. 

GOALS. Future conditions or performance levels that your organization intends or desires to attain. See also PERFORMANCE PROJECTIONS. 

GOVERNANCE. The system of management and controls 
exercised in the stewardship of your organization. 

HIGH PERFORMANCE. Ever-higher levels of overall organizational and individual performance, including quality, productivity, innovation rate, and cycle time. 

HOW. The systems and processes that your organization 
uses to achieve its mission requirements. 

IDENTIFY. Develop the organizational understanding to 
manage cybersecurity risk to systems, assets, data, and 
capabilities. Identify is one of the five functions included in 
the Cybersecurity Framework Core. The others are Protect, 
Detect, Respond, and Recover. 

INNOVATION. Making meaningful change to improve 
products/services, processes, or organizational effectiveness 
and create new value for stakeholders. The outcome of 
innovation is a discontinuous or breakthrough change. 

INTEGRATION. The harmonization of plans, processes, 
information, resource decisions, workforce capability and 
capacity, actions, results, and analyses to support key 
organization-wide goals. See also ALIGNMENT. 

KEY. Major or most important; critical to achieving your 
intended outcome. 

KNOWLEDGE ASSETS. Your organization's accumulated 
intellectual resources; the knowledge possessed by your 
organization and its workforce in the form of information, 
ideas, learning, understanding, memory, insights, cognitive 
and technical skills, and capabilities. 

LEARNING. New knowledge or skills acquired through 
evaluation, study, experience, and innovation. 

LEVELS. Numerical information that places or positions your 
organization's results and performance on a meaningful 
measurement scale. 
MEASURES AND INDICATORS. Numerical information that quantifies the input, output, and performance dimensions of processes, products, programs, projects, services, and the overall organization (outcomes). 

MISSION. Your organization's overall function. 

PARTNERS. Key organizations or individuals who are working in concert with your organization to achieve a common goal or improve performance. Typically, partnerships are formal arrangements. See also COLLABORATORS. 

PERFORMANCE. Outputs and their outcomes obtained 
from processes, products/services, and customers that permit 
you to evaluate and compare your organization's results to 
performance projections, standards, past results, goals, and 
other organizations' results. 

PERFORMANCE EXCELLENCE. An integrated approach to organizational performance management that results in (1) delivery of ever-improving value to customers and stakeholders, contributing to ongoing organizational success; (2) improvement of your organization's overall effectiveness and capabilities; and (3) learning for the organization and for people in the workforce. 

PERFORMANCE PROJECTIONS. Estimates of your organization's future performance. See also GOALS. 

PROCESS. Linked activities with the purpose of producing 
a product or service for a customer (user) within or outside 
your organization. 

PROTECT. Develop and implement the appropriate 
safeguards to ensure delivery of critical infrastructure 
services. Protect is one of the five functions included in 
the Cybersecurity Framework Core. The others are Identify, 
Detect, Respond, and Recover. 

RECOVER. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Recover is one of the five functions included in the Cybersecurity Framework Core. The others are Identify, Protect, Detect, and Respond. 

RESPOND. Develop and implement the appropriate 
activities to take action regarding a detected cybersecurity 
event. Respond is one of the five functions included in 
the Cybersecurity Framework Core. The others are Identify, 
Protect, Detect, and Recover. 

RESULTS. Outputs and outcomes achieved by your 
organization. 

SEGMENT. One part of your organization's customer, 
market, product offering, or workforce base. 

SENIOR LEADERS. Your organization's senior management 
group or team. 


STAKEHOLDERS. All groups that are or might be affected by 
your organization's actions and success. See also CUSTOMER. 

STRATEGIC ADVANTAGES. Those marketplace benefits that exert a decisive influence on your organization's likelihood of future success. These advantages are frequently sources of current and future competitive success relative to other providers of similar products/services. 

STRATEGIC CHALLENGES. Those pressures that exert a 
decisive influence on your organization's likelihood of future 
success. These challenges are frequently driven by your 
organization's anticipated competitive position in the future 
relative to other providers of similar products/services. 

STRATEGIC OBJECTIVES. The aims or responses that 
your organization articulates to address major change or 
improvement, competitiveness or social issues, and business 
advantages. See also ACTION PLANS. 

SYSTEMATIC. Well-ordered, repeatable, and exhibiting the 
use of data and information so that learning is possible. 

TRENDS. Numerical information that shows the direction 
and rate of change of your organization's results or the 
consistency of its performance over time. 

VALUE. The perceived worth of a product, process, asset, or 
function relative to its cost and possible alternatives. 

VALUES. The guiding principles and behaviors that embody 
how your organization and its people are expected to 
operate. 

VISION. Your organization's desired future state. 

VOICE OF THE CUSTOMER. Your process for capturing 
customer-related information. 

WORK PROCESSES. Your organization's most important 
internal value-creation processes. 

WORKFORCE. All people actively supervised by your organization and involved in accomplishing your organization's work, including paid employees (e.g., permanent, part-time, temporary, and telecommuting employees, as well as contract employees supervised by your organization) and volunteers, as appropriate. 

WORKFORCE CAPABILITY. Your organization's ability to accomplish its work processes through its people's knowledge, skills, abilities, and competencies. 

WORKFORCE CAPACITY. Your organization's ability to 
ensure sufficient staffing levels to accomplish its work 
processes and deliver your products/services to customers, 
including the ability to meet seasonal or varying demand 
levels. 

WORKFORCE ENGAGEMENT. The extent of workforce members' emotional and intellectual commitment to accomplishing your organization's work, mission, and vision. 


Benefits of Using the Baldrige Cybersecurity Excellence Builder, by Organizational Role 


Role/Function: Benefit of/Reason for Using the Baldrige Cybersecurity Excellence Builder 

Board and Executive Management 

• Understand how internal and external cybersecurity should support organizational (business) 
objectives, including support for customers 

• Understand current and planned workforce engagement processes and their success 

• Understand opportunities to improve cybersecurity in alignment with organizational objectives 

• Understand the potential exposure of the organization's assets to various risks 

• Align cybersecurity policy and practices with the organization's mission, vision, and values 

Chief Information Officer (CIO) 

• Understand how cybersecurity affects organizational information management practices and 
culture 

• Improve communication and engagement with organizational leaders and the cybersecurity 
workforce 

• Understand how cybersecurity affects the organization's culture and environment 

Chief Information Security Officer (CISO) 

• Support the organization's commitment to legal and ethical behavior 

• Create and apply cybersecurity policy and practices to support the organization's mission, vision, 
and values 

• Respond to rapid or unexpected organizational or external changes 

• Support continuous improvement through periodic use of the self-assessment tool 

• Support organizational understanding of compliance with various contractual and/or regulatory 
requirements 

• Understand the effectiveness of workforce communication, learning, and engagement, as well as 
operational considerations for cybersecurity 

IT Process Management 

• Improve understanding of business requirements and mission objectives and their priorities 

• Determine the effectiveness of IT processes and potential improvements 

• Understand how aspects of cybersecurity are integrated with organizational change management 
processes 

Risk Management 

• Discern the impact of cybersecurity on internal/external customers, partners, and workforce 

• Improve understanding of how workforce engagement in cybersecurity and communication to the 
workforce about cybersecurity impact the organization's overall risk posture 

• Improve management of and communication about risk related to external suppliers and partners 

Legal/Compliance Roles 

• Understand legal/ethical behavior on the part of the workforce, as well as the overall cultural 
environment 

• Understand how the organization applies cybersecurity-related policies and operations to ensure 
responsible governance, including legal, regulatory, and community concerns 

• Understand how the organization integrates external suppliers and partners into cybersecurity risk 
management, including contractual obligations for partners' cybersecurity protection and reporting 

Employees (Workforce) 

• Understand leaders' expectations 

• Be better prepared for changes in cybersecurity capability and capacity needs 

• Benefit from a workplace culture and environment characterized by open communication, high 
performance, and engagement in cybersecurity matters 

• Learn to fulfill their cybersecurity roles and responsibilities 
Crosswalk: Baldrige Cybersecurity Excellence Builder and Cybersecurity Framework 



Columns 2-4 list the related sections in the Cybersecurity Framework. 

Cybersecurity Excellence Builder Categories and Items | 2.4, Figure 2: Notional Information and Decision Flows | 3.2, Establishing or Improving a Cybersecurity Program | Appendix A: Framework Core Functions and Categories (1) 

C Organizational Context 
C.1 Organizational Description | Executive Level | Step 1: Prioritize and Scope; Step 2: Orient | ID-AM, ID-BE, ID-SC 
C.2 Organizational Situation | Executive Level; Changes in Current and Future Risk | Step 1: Prioritize and Scope; Step 2: Orient | ID-BE, ID-RM 

1 Leadership 
1.1 Leading for Cybersecurity | Executive Level | Step 1: Prioritize and Scope; Step 2: Orient | ID-BE, RC-CO 
1.2 Governance and Societal Responsibilities | Executive Level | Step 2: Orient | ID-GV, RS-CO 

2 Strategy 
2.1 Strategy Development | Business/Process Level; Mission Priority and Risk Appetite and Budget; Changes in Current and Future Risk | Step 1: Prioritize and Scope; Step 2: Orient; Step 4: Conduct a Risk Assessment; Step 5: Create a Target Profile; Step 6: Determine, Analyze, and Prioritize Gaps | ID-BE, ID-GV, ID-RA, ID-RM, ID-SC 
2.2 Strategy Implementation | Business/Process Level; Mission Priority and Risk Appetite and Budget; Changes in Current and Future Risk | Step 1: Prioritize and Scope; Step 2: Orient; Step 5: Create a Target Profile; Step 7: Implement Action Plan | ID-BE, ID-GV, ID-RA, ID-RM 

3 Customers 
3.1 Voice of the Customer | Business/Process Management; Implementation/Operations Level | Step 3: Create a Current Profile; Step 5: Create a Target Profile | ID-BE 
3.2 Customer Engagement | Business/Process Management; Implementation/Operations Level | Step 3: Create a Current Profile; Step 5: Create a Target Profile | ID-AM, PR-AT, RS-CO, RC-CO 

4 Measurement, Analysis, and Knowledge Management 
4.1 Measurement, Analysis, and Improvement of Performance | Implementation Progress | Step 6: Determine, Analyze, and Prioritize Gaps | DE-AE, DE-DP, RS-IM, RC-IM 
4.2 Knowledge Management | Business/Process Management; Implementation/Operations Level | Step 6: Determine, Analyze, and Prioritize Gaps | ID-RA, DE-AE, RS-CO 

(1) The Cybersecurity Framework functions are Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC). For definitions of these functions, see the glossary. For a detailed explanation of the categories within these functions, see the Cybersecurity Framework (www.nist.gov/cyberframework). 
Crosswalk (continued) 

Cybersecurity Excellence Builder Categories and Items | 2.4, Figure 2: Notional Information and Decision Flows | 3.2, Establishing or Improving a Cybersecurity Program | Appendix A: Framework Core Functions and Categories (1) 

5 Workforce 
5.1 Workforce Environment | Business/Process Management; Implementation/Operations Level | Step 3: Create a Current Profile; Step 5: Create a Target Profile | ID-AM, ID-GV, PR-IP, DE-DP, RS-CO 
5.2 Workforce Engagement | Business/Process Management; Implementation/Operations Level | Step 3: Create a Current Profile; Step 5: Create a Target Profile | PR-AT, PR-IP, RS-CO 

6 Operations 
6.1 Work Processes | Implementation/Operations Level | Step 2: Orient; Step 3: Create a Current Profile; Step 4: Conduct a Risk Assessment; Step 5: Create a Target Profile | PR-AC, PR-DS, PR-IP, PR-MA, DE-AE, DE-CM, DE-DP, RS-RP, RS-AN, RS-IM, RS-MI, RC-RP, RC-IM 
6.2 Operational Effectiveness | Implementation/Operations Level | Step 3: Create a Current Profile; Step 5: Create a Target Profile | ID-AM, ID-BE, ID-SC, PR-AT, PR-IP 

7 Results 
7.1 Cybersecurity Process Results | Implementation Progress | Step 3: Create a Current Profile; Step 5: Create a Target Profile | PR-AC, PR-DS, PR-IP, PR-MA, DE-AE, DE-CM, DE-DP, RS-RP, RS-AN, RS-IM, RS-MI, RC-RP, RC-IM 
7.2 Customer Results | Implementation Progress | Step 3: Create a Current Profile; Step 5: Create a Target Profile | ID-BE, ID-AM, PR-AT, RS-CO, RC-CO 
7.3 Workforce Results | Implementation Progress | Step 3: Create a Current Profile; Step 5: Create a Target Profile | ID-AM, ID-GV, PR-IP, DE-DP, RS-CO, PR-AT, PR-IP, RS-CO 
7.4 Leadership and Governance Results | Implementation Progress | Step 3: Create a Current Profile; Step 5: Create a Target Profile | ID-BE, ID-GV, ID-RA, ID-RM, RC-CO 
7.5 Financial Results | Implementation Progress | Step 3: Create a Current Profile; Step 5: Create a Target Profile | ID-BE 


Self-Analysis Worksheet 

For a spreadsheet version of this worksheet, see www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative. 



Process (Categories 1-6) 

Columns: Approach, Deployment, Learning, Integration (Reactive, Early, Developing, Mature, Leading, or Exemplary?); Importance (High, Medium, or Low?) 

1 Leadership 
1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations? 
1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and fulfill your cybersecurity-related societal responsibilities? 

2 Strategy 
2.1 Strategy Development: How do you include cybersecurity considerations in your strategy development? 
2.2 Strategy Implementation: How do you implement the cybersecurity-related elements of your strategy? 

3 Customers 
3.1 Voice of the Customer: How do you obtain cybersecurity-related information from your customers? 
3.2 Customer Engagement: How do you engage customers in cybersecurity by serving their needs and building relationships? 

4 Measurement, Analysis, and Knowledge Management 
4.1 Measurement, Analysis, and Improvement of Performance: How do you measure, analyze, and then improve cybersecurity-related performance? 
4.2 Knowledge Management: How do you manage your organization's cybersecurity-related knowledge assets? 

5 Workforce 
5.1 Workforce Environment: How do you build an effective and supportive environment for your cybersecurity workforce? 
5.2 Workforce Engagement: How do you engage your workforce to achieve a high-performance work environment in support of cybersecurity policies and operations? 
Self-Analysis Worksheet (continued) 

Process (Categories 1-6) 

Columns: Approach, Deployment, Learning, Integration (Reactive, Early, Developing, Mature, Leading, or Exemplary?); Importance (High, Medium, or Low?) 

6 Operations 
6.1 Work Processes: How do you design, manage, and improve your key cybersecurity work processes? 
6.2 Operational Effectiveness: How do you ensure effective management of your cybersecurity operations? 

Results (Category 7) 

Columns: Levels, Trends, Comparisons, Integration (Reactive, Early, Developing, Mature, Leading, or Exemplary?); Importance (High, Medium, or Low?) 

7.1 Cybersecurity Process Results: What are your cybersecurity performance and process effectiveness results? 
7.2 Customer Results: What are your customer-focused cybersecurity performance results? 
7.3 Workforce Results: What are your workforce-focused cybersecurity performance results? 
7.4 Leadership and Governance Results: What are your cybersecurity leadership and governance results? 
7.5 Financial Results: What are your cybersecurity-related financial performance results? 

BALDRIGE EXCELLENCE FRAMEWORK™ is a trademark, and BALDRIGE PERFORMANCE EXCELLENCE PROGRAM and Design®, 
MALCOLM BALDRIGE NATIONAL QUALITY AWARD®, and PERFORMANCE EXCELLENCE® are federally registered trademarks, of 
the U.S. Department of Commerce, National Institute of Standards and Technology. The unauthorized use of these trademarks and 
service marks is prohibited. 
You've used the Baldrige Cybersecurity Excellence Builder to assess your organization's cybersecurity program.

WHAT'S NEXT?

Tell Us about Your Experience

Submit feedback on the Baldrige Cybersecurity Excellence Builder at www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative.

Learn More about the Baldrige Cybersecurity Initiative 

See www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative to learn more about this initiative. 


Learn More about the Cybersecurity Framework 

The Framework for Improving Critical Infrastructure Cybersecurity (www.nist.gov/cyberframework) is voluntary 
guidance, based on existing standards, guidelines, and practices, for organizations to better manage and reduce 
cybersecurity risk. 


Download the Baldrige Excellence Builder 

The Baldrige Excellence Builder (www.nist.gov/baldrige/products-services/baldrige-excellence-builder) includes 
key questions for improving your organization's overall performance. It is based on the Baldrige Excellence 
Framework's Criteria for Performance Excellence. 


Purchase the Baldrige Excellence Framework Booklet 

The Baldrige Excellence Framework (Business/Nonprofit, Education, or Health Care; www.nist.gov/baldrige/products-services/baldrige-excellence-framework) is a comprehensive guide to organizational performance excellence.


Attend the Quest for Excellence® Conference 

At Quest (www.nist.gov/baldrige/qe) and other Baldrige conferences, you will learn best performance 
management practices from Baldrige Award recipients. 


Contact the Baldrige Program 

We'll answer your questions on these and other products and services. 

www.nist.gov/baldrige | 301.975.2036 | baldrige@nist.gov 






National Institute of Standards and Technology (NIST) 

The mission of NIST, an agency of the U.S. Department of Commerce, is to promote U.S. innovation and 
industrial competitiveness by advancing measurement science, standards, and technology in ways that 
enhance economic security and improve our quality of life. 


Baldrige Performance Excellence Program 

Created by Congress in 1987, the Baldrige Program is a unique public-private partnership that is dedicated 
to helping organizations improve their performance and succeed in the global marketplace. The program 
administers the Presidential Malcolm Baldrige National Quality Award. In collaboration with the greater 
Baldrige community, we address critical national needs through 

• a systems approach to achieving organizational excellence; 

• organizational self-assessment tools and analysis of organizational strengths and 
opportunities for improvement by a team of trained experts; 

• training, executive education, conferences, and workshops on proven best management 
practices and on using the Baldrige Excellence Framework to improve; 

• Baldrige-based approaches to cybersecurity risk management and community excellence; and 


• support for and partnership with the Alliance for Performance Excellence (www.baldrigepe.org/alliance), a national network of Baldrige-based organizations.


Applied Cybersecurity Division, Information Technology Laboratory 

As one of the major research components of NIST, the Information Technology Laboratory has the broad 
mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, 
standards, and technology through research and development in information technology, mathematics, and 
statistics. The Applied Cybersecurity Division (www.nist.gov/itl/applied-cybersecurity) implements practical 
cybersecurity and privacy through outreach and effective application of standards and best practices 
necessary for the U.S. to adopt cybersecurity capabilities. The Division: 

• develops cybersecurity standards and guidelines in an open, transparent, and collaborative way; 

• does cybersecurity testing and measurement—from developing test suites and methods to 
validating cryptographic modules; and 

• advances applied cybersecurity—applications of NIST's research, standards, and testing and 
measurement work. 


Foundation for the Malcolm Baldrige National Quality Award 

The mission of the Baldrige Foundation (www.baldrigefoundation.org) is to ensure the long-term financial 
growth and viability of the Baldrige Performance Excellence Program and to support organizational 
performance excellence in the United States and throughout the world. 


For more information: 

www.nist.gov/baldrige | 301.975.2036 | baldrige@nist.gov 


CONNECT WITH BALDRIGE

@BaldrigeProgram #Baldrige

National Institute of Standards and Technology, U.S. Department of Commerce